{
 "cells": [
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "03c8b068-765c-4a17-8f4a-68871d8da43f",
   "metadata": {},
   "outputs": [],
   "source": [
    "# Port of https://github.com/ars3n11/Aggressor-Scripts/blob/master/ProcessTree.cna to a Mythic script that tags processes by category (EDR, admin, explorer, browser, agent)"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "d904f1cb-0ab4-45c9-a8e4-f5b367525de5",
   "metadata": {},
   "outputs": [],
   "source": [
    "import asyncio\n",
    "import getpass\n",
    "import os\n",
    "\n",
    "from mythic import mythic"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "1a3d574c-e59d-41c2-9e5e-5d4aecc34c6d",
   "metadata": {},
   "outputs": [],
   "source": [
    "# Cache of tag types, read by get_tag_type() for each entry's \"name\" and \"id\".\n",
    "# It is replaced with the server's tag type list after login and extended whenever\n",
    "# get_tag_type() has to create a missing type.\n",
    "current_tag_types = []"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "92809a43-dd09-4ee9-b1a8-52185a89dd9b",
   "metadata": {},
   "outputs": [],
   "source": [
    "# Display color and description for each tag type this notebook may create,\n",
    "# keyed by tag type name. get_tag_type() reads an entry only when the type\n",
    "# is not already in current_tag_types.\n",
    "tagtypeDefinitions = {\n",
    "    \"EDR\": dict(color=\"#cc3f3f\", description=\"AV / EDR classification\"),\n",
    "    \"explorer\": dict(color=\"#9eb4ce\", description=\"explorer and winlogon processes\"),\n",
    "    \"browser\": dict(color=\"#17827a\", description=\"browser processes\"),\n",
    "    \"admin\": dict(color=\"#808cc7\", description=\"admin tools\"),\n",
    "    \"agent\": dict(color=\"#c2c616\", description=\"agent callback\"),\n",
    "}"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "21c8458a-b790-426a-a7f9-a3e8769f2e78",
   "metadata": {},
   "outputs": [],
   "source": [
    "# Process names classified as AV / EDR. The tagging loop tests name_text for exact,\n",
    "# case-sensitive membership in this list and in av1 and applies the \"EDR\" tag on a hit.\n",
    "# NOTE(review): entries carry no file extension and many repeat in different letter case;\n",
    "# presumably name_text is expected without an extension - confirm against real process data.\n",
    "# NOTE(review): some entries are duplicated (e.g. \"AVP\", \"SNAC\") and some also appear in\n",
    "# admin (e.g. \"drwatson\", \"ethereal\"); those get the EDR tag because that branch runs first.\n",
    "av = [\"SecurityHealthService\", \"Tanium\", \"360RP\", \"360SD\", \"360Safe\", \"360leakfixer\", \"360rp\", \"360safe\", \"360sd\",\n",
    "          \"360tray\", \"AAWTray\", \"ACAAS\", \"ACAEGMgr\", \"ACAIS\", \"AClntUsr\", \"ALERT\", \"ALERTSVC\", \"ALMon\", \"ALUNotify\",\n",
    "          \"ALUpdate\", \"ALsvc\", \"AVENGINE\", \"AVGCHSVX\", \"AVGCSRVX\", \"AVGIDSAgent\", \"AVGIDSMonitor\", \"AVGIDSUI\",\n",
    "          \"AVGIDSWatcher\", \"AVGNSX\", \"AVKProxy\", \"AVKService\", \"AVKTray\", \"AVKWCtl\", \"AVP\", \"AVP\", \"AVPDTAgt\",\n",
    "          \"AcctMgr\", \"Ad-Aware\", \"Ad-Aware2007\", \"AddressExport\", \"AdminServer\", \"Administrator\", \"AeXAgentUIHost\",\n",
    "          \"AeXNSAgent\", \"AeXNSRcvSvc\", \"AlertSvc\", \"AlogServ\", \"AluSchedulerSvc\", \"AnVir\", \"AppSvc32\", \"AtrsHost\",\n",
    "          \"Auth8021x\", \"AvastSvc\", \"AvastUI\", \"Avconsol\", \"AvpM\", \"Avsynmgr\", \"Avtask\", \"BLACKD\", \"BWMeterConSvc\",\n",
    "          \"CAAntiSpyware\", \"CALogDump\", \"CAPPActiveProtection\", \"CAPPActiveProtection\", \"CB\", \"CCAP\", \"CCenter\",\n",
    "          \"CClaw\", \"CLPS\", \"CLPSLA\", \"CLPSLS\", \"CNTAoSMgr\", \"CPntSrv\", \"CTDataLoad\", \"CertificationManagerServiceNT\",\n",
    "          \"ClShield\", \"ClamTray\", \"ClamWin\", \"Console\", \"CylanceUI\", \"DAO_Log\", \"DLService\", \"DLTray\", \"DLTray\",\n",
    "          \"DRWAGNTD\", \"DRWAGNUI\", \"DRWEB32W\", \"DRWEBSCD\", \"DRWEBUPW\", \"DRWINST\", \"DSMain\", \"DWHWizrd\", \"DefWatch\",\n",
    "          \"DolphinCharge\", \"EHttpSrv\", \"EMET_Agent\", \"EMET_Service\", \"EMLPROUI\", \"EMLPROXY\", \"EMLibUpdateAgentNT\",\n",
    "          \"ETConsole3\", \"ETCorrel\", \"ETLogAnalyzer\", \"ETReporter\", \"ETRssFeeds\", \"EUQMonitor\", \"EndPointSecurity\",\n",
    "          \"EngineServer\", \"EntityMain\", \"EtScheduler\", \"EtwControlPanel\", \"EventParser\", \"FAMEH32\", \"FCDBLog\", \"FCH32\",\n",
    "          \"FPAVServer\", \"FProtTray\", \"FSCUIF\", \"FSHDLL32\", \"FSM32\", \"FSMA32\", \"FSMB32\", \"FWCfg\", \"FireSvc\", \"FireTray\",\n",
    "          \"FirewallGUI\", \"ForceField\", \"FortiProxy\", \"FortiTray\", \"FortiWF\", \"FrameworkService\", \"FreeProxy\",\n",
    "          \"GDFirewallTray\", \"GDFwSvc\", \"HWAPI\", \"ISNTSysMonitor\", \"ISSVC\", \"ISWMGR\", \"ITMRTSVC\",\n",
    "          \"ITMRT_SupportDiagnostics\", \"ITMRT_TRACE\", \"IcePack\", \"IdsInst\", \"InoNmSrv\", \"InoRT\", \"InoRpc\", \"InoTask\",\n",
    "          \"InoWeb\", \"IsntSmtp\", \"KABackReport\", \"KANMCMain\", \"KAVFS\", \"KAVStart\", \"KLNAGENT\", \"KMailMon\",\n",
    "          \"KNUpdateMain\", \"KPFWSvc\", \"KSWebShield\", \"KVMonXP\", \"KVMonXP_2\", \"KVSrvXP\", \"KWSProd\", \"KWatch\",\n",
    "          \"KavAdapterExe\", \"KeyPass\", \"KvXP\", \"LUALL\", \"LWDMServer\", \"LockApp\", \"LockAppHost\", \"LogGetor\", \"MCSHIELD\",\n",
    "          \"MCUI32\", \"MSASCui\", \"ManagementAgentNT\", \"McAfeeDataBackup\", \"McEPOC\", \"McEPOCfg\", \"McNASvc\", \"McProxy\",\n",
    "          \"McScript_InUse\", \"McWCE\", \"McWCECfg\", \"Mcshield\", \"Mctray\", \"MgntSvc\", \"MpCmdRun\", \"MpfAgent\", \"MpfSrv\",\n",
    "          \"MsMpEng\", \"NAIlgpip\", \"NAVAPSVC\", \"NAVAPW32\", \"NCDaemon\", \"NIP\", \"NJeeves\", \"NLClient\", \"NMAGENT\",\n",
    "          \"NOD32view\", \"NPFMSG\", \"NPROTECT\", \"NRMENCTB\", \"NSMdtr\", \"NTRtScan\", \"NVCOAS\", \"NVCSched\", \"NavShcom\",\n",
    "          \"Navapsvc\", \"NaveCtrl\", \"NaveLog\", \"NaveSP\", \"Navw32\", \"Navwnt\", \"Nip\", \"Njeeves\", \"Npfmsg2\", \"Npfsvice\",\n",
    "          \"NscTop\", \"Nvcoas\", \"Nvcsched\", \"Nymse\", \"OLFSNT40\", \"OMSLogManager\", \"ONLINENT\", \"ONLNSVC\", \"OfcPfwSvc\",\n",
    "          \"PASystemTray\", \"PAVFNSVR\", \"PAVSRV51\", \"PNmSrv\", \"POPROXY\", \"POProxy\", \"PPClean\", \"PPCtlPriv\", \"PQIBrowser\",\n",
    "          \"PSHost\", \"PSIMSVC\", \"PXEMTFTP\", \"PadFSvr\", \"Pagent\", \"Pagentwd\", \"PavBckPT\", \"PavFnSvr\", \"PavPrSrv\",\n",
    "          \"PavProt\", \"PavReport\", \"Pavkre\", \"PcCtlCom\", \"PcScnSrv\", \"PccNTMon\", \"PccNTUpd\", \"PpPpWallRun\",\n",
    "          \"PrintDevice\", \"ProUtil\", \"PsCtrlS\", \"PsImSvc\", \"PwdFiltHelp\", \"Qoeloader\", \"RAVMOND\", \"RAVXP\", \"RNReport\",\n",
    "          \"RPCServ\", \"RSSensor\", \"RTVscan\", \"RapApp\", \"Rav\", \"RavAlert\", \"RavMon\", \"RavMonD\", \"RavService\", \"RavStub\",\n",
    "          \"RavTask\", \"RavTray\", \"RavUpdate\", \"RavXP\", \"RealMon\", \"Realmon\", \"RedirSvc\", \"RegMech\", \"ReporterSvc\",\n",
    "          \"RouterNT\", \"Rtvscan\", \"SAFeService\", \"SAService\", \"SAVAdminService\", \"SAVFMSESp\", \"SAVMain\", \"SAVScan\",\n",
    "          \"SCANMSG\", \"SCANWSCS\", \"SCFManager\", \"SCFService\", \"SCFTray\", \"SDTrayApp\", \"SEVINST\", \"SMEX_ActiveUpdate\",\n",
    "          \"SMEX_Master\", \"SMEX_RemoteConf\", \"SMEX_SystemWatch\", \"SMSECtrl\", \"SMSELog\", \"SMSESJM\", \"SMSESp\", \"SMSESrv\",\n",
    "          \"SMSETask\", \"SMSEUI\", \"SNAC\", \"SNAC\", \"SNDMon\", \"SNDSrvc\", \"SPBBCSvc\", \"SPIDERML\", \"SPIDERNT\", \"SSM\",\n",
    "          \"SSScheduler\", \"SVCharge\", \"SVDealer\", \"SVFrame\", \"SVTray\", \"SWNETSUP\", \"SavRoam\", \"SavService\", \"SavUI\",\n",
    "          \"ScanMailOutLook\", \"SeAnalyzerTool\", \"SemSvc\", \"SescLU\", \"SetupGUIMngr\", \"SiteAdv\", \"Smc\", \"SmcGui\",\n",
    "          \"SnHwSrv\", \"SnICheckAdm\", \"SnIcon\", \"SnSrv\", \"SnicheckSrv\", \"SpIDerAgent\", \"SpntSvc\", \"SpyEmergency\",\n",
    "          \"SpyEmergencySrv\", \"StOPP\", \"StWatchDog\", \"SymCorpUI\", \"SymSPort\", \"TBMon\", \"TFGui\", \"TFService\", \"TFTray\",\n",
    "          \"TFun\", \"TIASPN~1\", \"TSAnSrf\", \"TSAtiSy\", \"TScutyNT\", \"TSmpNT\", \"TmListen\", \"TmPfw\", \"Tmntsrv\", \"Traflnsp\",\n",
    "          \"TrapTrackerMgr\", \"UPSCHD\", \"UcService\", \"UdaterUI\", \"UmxAgent\", \"UmxCfg\", \"UmxFwHlp\", \"UmxPol\", \"Up2date\",\n",
    "          \"UpdaterUI\", \"UrlLstCk\", \"UserActivity\", \"UserAnalysis\", \"UsrPrmpt\", \"V3Medic\", \"V3Svc\", \"VPC32\", \"VPDN_LU\",\n",
    "          \"VPTray\", \"VSStat\", \"VsStat\", \"VsTskMgr\", \"WEBPROXY\", \"WFXCTL32\", \"WFXMOD32\", \"WFXSNT40\", \"WebProxy\",\n",
    "          \"WebScanX\", \"WinRoute\", \"WrSpySetup\", \"ZLH\", \"Zanda\", \"ZhuDongFangYu\", \"Zlh\", \"_avp32\", \"_avpcc\", \"_avpm\",\n",
    "          \"aAvgApi\", \"aawservice\", \"acaif\", \"acctmgr\", \"ackwin32\", \"aclient\", \"adaware\", \"advxdwin\", \"aexnsagent\",\n",
    "          \"aexsvc\", \"aexswdusr\", \"aflogvw\", \"afwServ\", \"agentsvr\", \"agentw\", \"ahnrpt\", \"ahnsd\", \"ahnsdsv\", \"alertsvc\",\n",
    "          \"alevir\", \"alogserv\", \"alsvc\", \"alunotify\", \"aluschedulersvc\", \"amon9x\", \"amswmagt\", \"anti-trojan\", \"antiarp\",\n",
    "          \"antivirus\", \"ants\", \"aphost\", \"apimonitor\", \"aplica32\", \"aps\", \"apvxdwin\", \"arr\", \"ashAvast\", \"ashBug\",\n",
    "          \"ashChest\", \"ashCmd\", \"ashDisp\", \"ashEnhcd\", \"ashLogV\", \"ashMaiSv\", \"ashPopWz\", \"ashQuick\", \"ashServ\",\n",
    "          \"ashSimp2\", \"ashSimpl\", \"ashSkPcc\", \"ashSkPck\", \"ashUpd\", \"ashWebSv\", \"ashdisp\", \"ashmaisv\", \"ashserv\",\n",
    "          \"ashwebsv\", \"asupport\", \"aswDisp\", \"aswRegSvr\", \"aswServ\", \"aswUpdSv\", \"aswUpdsv\", \"aswWebSv\", \"aswupdsv\",\n",
    "          \"atcon\", \"atguard\", \"atro55en\", \"atupdater\", \"atwatch\", \"atwsctsk\", \"au\", \"aupdate\", \"aupdrun\", \"aus\",\n",
    "          \"auto-protect.nav80try\", \"autodown\", \"autotrace\", \"autoup\", \"autoupdate\", \"avEngine\", \"avadmin\", \"avcenter\",\n",
    "          \"avconfig\", \"avconsol\", \"ave32\", \"avengine\", \"avesvc\", \"avfwsvc\", \"avgam\", \"avgamsvr\", \"avgas\", \"avgcc\",\n",
    "          \"avgcc32\", \"avgcsrvx\", \"avgctrl\", \"avgdiag\", \"avgemc\", \"avgfws8\", \"avgfws9\", \"avgfwsrv\", \"avginet\", \"avgmsvr\",\n",
    "          \"avgnsx\", \"avgnt\", \"avgregcl\", \"avgrssvc\", \"avgrsx\", \"avgscanx\", \"avgserv\", \"avgserv9\", \"avgsystx\", \"avgtray\",\n",
    "          \"avguard\", \"avgui\", \"avgupd\", \"avgupdln\", \"avgupsvc\", \"avgvv\", \"avgw\", \"avgwb\", \"avgwdsvc\", \"avgwizfw\",\n",
    "          \"avkpop\", \"avkserv\", \"avkservice\", \"avkwctl9\", \"avltmain\", \"avmailc\", \"avmcdlg\", \"avnotify\", \"avnt\", \"avp\",\n",
    "          \"avp32\", \"avpcc\", \"avpdos32\", \"avpexec\", \"avpm\", \"avpncc\", \"avps\", \"avptc32\", \"avpupd\", \"avscan\", \"avsched32\",\n",
    "          \"avserver\", \"avshadow\", \"avsynmgr\", \"avwebgrd\", \"avwin\", \"avwin95\", \"avwinnt\", \"avwupd\", \"avwupd32\",\n",
    "          \"avwupsrv\", \"avxmonitor9x\", \"avxmonitornt\", \"avxquar\", \"backweb\", \"bargains\", \"basfipm\", \"bd_professional\",\n",
    "          \"bdagent\", \"bdc\", \"bdlite\", \"bdmcon\", \"bdss\", \"bdsubmit\", \"beagle\", \"belt\", \"bidef\", \"bidserver\", \"bipcp\",\n",
    "          \"bipcpevalsetup\", \"bisp\", \"blackd\", \"blackice\", \"blink\", \"blss\", \"bmrt\", \"bootconf\", \"bootwarn\", \"borg2\",\n",
    "          \"bpc\", \"bpk\", \"brasil\", \"bs120\", \"bundle\", \"bvt\", \"bwgo0000\", \"ca\", \"caav\", \"caavcmdscan\", \"caavguiscan\",\n",
    "          \"caf\", \"cafw\", \"caissdt\", \"capfaem\", \"capfasem\", \"capfsem\", \"capmuamagt\", \"casc\", \"casecuritycenter\",\n",
    "          \"caunst\", \"cavrep\", \"cavrid\", \"cavscan\", \"cavtray\", \"ccApp\", \"ccEvtMgr\", \"ccLgView\", \"ccProxy\", \"ccSetMgr\",\n",
    "          \"ccSetmgr\", \"ccSvcHst\", \"ccap\", \"ccapp\", \"ccevtmgr\", \"cclaw\", \"ccnfagent\", \"ccprovsp\", \"ccproxy\", \"ccpxysvc\",\n",
    "          \"ccschedulersvc\", \"ccsetmgr\", \"ccsmagtd\", \"ccsvchst\", \"ccsystemreport\", \"cctray\", \"ccupdate\", \"cdp\", \"cfd\",\n",
    "          \"cfftplugin\", \"cfgwiz\", \"cfiadmin\", \"cfiaudit\", \"cfinet\", \"cfinet32\", \"cfnotsrvd\", \"cfp\", \"cfpconfg\",\n",
    "          \"cfpconfig\", \"cfplogvw\", \"cfpsbmit\", \"cfpupdat\", \"cfsmsmd\", \"checkup\", \"cka\", \"clamscan\", \"claw95\",\n",
    "          \"claw95cf\", \"clean\", \"cleaner\", \"cleaner3\", \"cleanpc\", \"cleanup\", \"click\", \"cmdagent\", \"cmdinstall\", \"cmesys\",\n",
    "          \"cmgrdian\", \"cmon016\", \"comHost\", \"connectionmonitor\", \"control_panel\", \"cpd\", \"cpdclnt\", \"cpf\", \"cpf9x206\",\n",
    "          \"cpfnt206\", \"crashrep\", \"csacontrol\", \"csinject\", \"csinsm32\", \"csinsmnt\", \"csrss_tc\", \"ctrl\", \"cv\", \"cwnb181\",\n",
    "          \"cwntdwmo\", \"cz\", \"datemanager\", \"dbserv\", \"dbsrv9\", \"dcomx\", \"defalert\", \"defscangui\", \"defwatch\",\n",
    "          \"deloeminfs\", \"deputy\", \"diskmon\", \"divx\", \"djsnetcn\", \"dllcache\", \"dllreg\", \"doors\", \"doscan\", \"dpf\",\n",
    "          \"dpfsetup\", \"dpps2\", \"drwagntd\", \"drwatson\", \"drweb\", \"drweb32\", \"drweb32w\", \"drweb386\", \"drwebcgp\",\n",
    "          \"drwebcom\", \"drwebdc\", \"drwebmng\", \"drwebscd\", \"drwebupw\", \"drwebwcl\", \"drwebwin\", \"drwupgrade\", \"dsmain\",\n",
    "          \"dssagent\", \"dvp95\", \"dvp95_0\", \"dwengine\", \"dwhwizrd\", \"dwwin\", \"ecengine\", \"edisk\", \"efpeadm\", \"egui\",\n",
    "          \"ekrn\", \"elogsvc\", \"emet_agent\", \"emet_service\", \"emsw\", \"engineserver\", \"ent\", \"era\", \"esafe\", \"escanhnt\",\n",
    "          \"escanv95\", \"esecagntservice\", \"esecservice\", \"esmagent\", \"espwatch\", \"etagent\", \"ethereal\", \"etrustcipe\",\n",
    "          \"evpn\", \"evtProcessEcFile\", \"evtarmgr\", \"evtmgr\", \"exantivirus-cnet\", \"exe.avxw\", \"execstat\", \"expert\",\n",
    "          \"explore\", \"f-agnt95\", \"f-prot\", \"f-prot95\", \"f-stopw\", \"fameh32\", \"fast\", \"fch32\", \"fih32\", \"findviru\",\n",
    "          \"firesvc\", \"firetray\", \"firewall\", \"fmon\", \"fnrb32\", \"fortifw\", \"fp-win\", \"fp-win_trial\", \"fprot\",\n",
    "          \"frameworkservice\", \"frminst\", \"frw\", \"fsaa\", \"fsaua\", \"fsav\", \"fsav32\", \"fsav530stbyb\", \"fsav530wtbyb\",\n",
    "          \"fsav95\", \"fsavgui\", \"fscuif\", \"fsdfwd\", \"fsgk32\", \"fsgk32st\", \"fsguidll\", \"fsguiexe\", \"fshdll32\", \"fsm32\",\n",
    "          \"fsma32\", \"fsmb32\", \"fsorsp\", \"fspc\", \"fspex\", \"fsqh\", \"fssm32\", \"fwinst\", \"gator\", \"gbmenu\", \"gbpoll\",\n",
    "          \"gcascleaner\", \"gcasdtserv\", \"gcasinstallhelper\", \"gcasnotice\", \"gcasserv\", \"gcasservalert\", \"gcasswupdater\",\n",
    "          \"generics\", \"gfireporterservice\", \"ghost_2\", \"ghosttray\", \"giantantispywaremain\", \"giantantispywareupdater\",\n",
    "          \"gmt\", \"guard\", \"guarddog\", \"guardgui\", \"hacktracersetup\", \"hbinst\", \"hbsrv\", \"hipsvc\", \"hotactio\",\n",
    "          \"hotpatch\", \"htlog\", \"htpatch\", \"hwpe\", \"hxdl\", \"hxiul\", \"iamapp\", \"iamserv\", \"iamstats\", \"ibmasn\", \"ibmavsp\",\n",
    "          \"icepack\", \"icload95\", \"icloadnt\", \"icmon\", \"icsupp95\", \"icsuppnt\", \"idle\", \"iedll\", \"iedriver\", \"iface\",\n",
    "          \"ifw2000\", \"igateway\", \"inetlnfo\", \"infus\", \"infwin\", \"inicio\", \"init\", \"inonmsrv\", \"inorpc\", \"inort\",\n",
    "          \"inotask\", \"intdel\", \"intren\", \"iomon98\", \"isPwdSvc\", \"isUAC\", \"isafe\", \"isafinst\", \"issvc\", \"istsvc\",\n",
    "          \"jammer\", \"jdbgmrg\", \"jedi\", \"kaccore\", \"kansgui\", \"kansvr\", \"kastray\", \"kav\", \"kav32\", \"kavfs\", \"kavfsgt\",\n",
    "          \"kavfsrcn\", \"kavfsscs\", \"kavfswp\", \"kavisarv\", \"kavlite40eng\", \"kavlotsingleton\", \"kavmm\", \"kavpers40eng\",\n",
    "          \"kavpf\", \"kavshell\", \"kavss\", \"kavstart\", \"kavsvc\", \"kavtray\", \"kazza\", \"keenvalue\", \"kerio-pf-213-en-win\",\n",
    "          \"kerio-wrl-421-en-win\", \"kerio-wrp-421-en-win\", \"kernel32\", \"killprocesssetup161\", \"kis\", \"kislive\", \"kissvc\",\n",
    "          \"klnacserver\", \"klnagent\", \"klserver\", \"klswd\", \"klwtblfs\", \"kmailmon\", \"knownsvr\", \"kpf4gui\", \"kpf4ss\",\n",
    "          \"kpfw32\", \"kpfwsvc\", \"krbcc32s\", \"kvdetech\", \"kvolself\", \"kvsrvxp\", \"kvsrvxp_1\", \"kwatch\", \"kwsprod\",\n",
    "          \"kxeserv\", \"launcher\", \"ldnetmon\", \"ldpro\", \"ldpromenu\", \"ldscan\", \"leventmgr\", \"livesrv\", \"lmon\", \"lnetinfo\",\n",
    "          \"loader\", \"localnet\", \"lockdown\", \"lockdown2000\", \"log_qtine\", \"lookout\", \"lordpe\", \"lsetup\", \"luall\", \"luau\",\n",
    "          \"lucallbackproxy\", \"lucoms\", \"lucomserver\", \"lucoms~1\", \"luinit\", \"luspt\", \"makereport\", \"mantispm\",\n",
    "          \"mapisvc32\", \"masalert\", \"massrv\", \"mcafeefire\", \"mcagent\", \"mcappins\", \"mcconsol\", \"mcdash\", \"mcdetect\",\n",
    "          \"mcepoc\", \"mcepocfg\", \"mcinfo\", \"mcmnhdlr\", \"mcmscsvc\", \"mcods\", \"mcpalmcfg\", \"mcpromgr\", \"mcregwiz\",\n",
    "          \"mcscript\", \"mcscript_inuse\", \"mcshell\", \"mcshield\", \"mcshld9x\", \"mcsysmon\", \"mctool\", \"mctray\", \"mctskshd\",\n",
    "          \"mcuimgr\", \"mcupdate\", \"mcupdmgr\", \"mcvsftsn\", \"mcvsrte\", \"mcvsshld\", \"mcwce\", \"mcwcecfg\", \"md\", \"mfeann\",\n",
    "          \"mfevtps\", \"mfin32\", \"mfw2en\", \"mfweng3.02d30\", \"mgavrtcl\", \"mgavrte\", \"mghtml\", \"mgui\", \"minilog\", \"mmod\",\n",
    "          \"monitor\", \"monsvcnt\", \"monsysnt\", \"moolive\", \"mostat\", \"mpcmdrun\", \"mpf\", \"mpfagent\", \"mpfconsole\",\n",
    "          \"mpfservice\", \"mpftray\", \"mps\", \"mpsevh\", \"mpsvc\", \"mrf\", \"mrflux\", \"msapp\", \"msascui\", \"msbb\", \"msblast\",\n",
    "          \"mscache\", \"msccn32\", \"mscifapp\", \"mscman\", \"msconfig\", \"msdm\", \"msdos\", \"msiexec16\", \"mskagent\", \"mskdetct\",\n",
    "          \"msksrver\", \"msksrvr\", \"mslaugh\", \"msmgt\", \"msmpeng\", \"msmsgri32\", \"msscli\", \"msseces\", \"mssmmc32\", \"msssrv\",\n",
    "          \"mssys\", \"msvxd\", \"mu0311ad\", \"mwatch\", \"myagttry\", \"n32scanw\", \"nSMDemf\", \"nSMDmon\", \"nSMDreal\", \"nSMDsch\",\n",
    "          \"naPrdMgr\", \"nav\", \"navap.navapsvc\", \"navapsvc\", \"navapw32\", \"navdx\", \"navlu32\", \"navnt\", \"navstub\", \"navw32\",\n",
    "          \"navwnt\", \"nc2000\", \"ncinst4\"]\n",
    "# Second AV / EDR name list; the tagging loop checks it together with av for the \"EDR\" tag.\n",
    "# NOTE(review): \"netmon\" and \"netstat\" are also in admin; the EDR branch is tested first,\n",
    "# so those names never receive the admin tag.\n",
    "av1 = [\"MSASCuiL\", \"CylanceSvc\", \"ndd32\", \"ndetect\", \"neomonitor\", \"neotrace\", \"neowatchlog\", \"netalertclient\",\n",
    "           \"netarmor\", \"netcfg\", \"netd32\", \"netinfo\", \"netmon\", \"netscanpro\", \"netspyhunter-1.2\", \"netstat\", \"netutils\",\n",
    "           \"networx\", \"ngctw32\", \"ngserver\", \"nip\", \"nipsvc\", \"nisoptui\", \"nisserv\", \"nisum\", \"njeeves\", \"nlsvc\",\n",
    "           \"nmain\", \"nod32\", \"nod32krn\", \"nod32kui\", \"normist\", \"norton_internet_secu_3.0_407\", \"notstart\",\n",
    "           \"npf40_tw_98_nt_me_2k\", \"npfmessenger\", \"npfmntor\", \"npfmsg\", \"nprotect\", \"npscheck\", \"npssvc\", \"nrmenctb\",\n",
    "           \"nsched32\", \"nscsrvce\", \"nsctop\", \"nsmdtr\", \"nssys32\", \"nstask32\", \"nsupdate\", \"nt\", \"ntcaagent\",\n",
    "           \"ntcadaemon\", \"ntcaservice\", \"ntrtscan\", \"ntvdm\", \"ntxconfig\", \"nui\", \"nupgrade\", \"nvarch16\", \"nvc95\",\n",
    "           \"nvcoas\", \"nvcsched\", \"nvsvc32\", \"nwinst4\", \"nwservice\", \"nwtool16\", \"nymse\", \"oasclnt\", \"oespamtest\",\n",
    "           \"ofcdog\", \"ofcpfwsvc\", \"okclient\", \"olfsnt40\", \"ollydbg\", \"onsrvr\", \"op_viewer\", \"opscan\", \"optimize\",\n",
    "           \"ostronet\", \"otfix\", \"outpost\", \"outpostinstall\", \"outpostproinstall\", \"paamsrv\", \"padmin\", \"pagent\",\n",
    "           \"pagentwd\", \"panixk\", \"patch\", \"pavbckpt\", \"pavcl\", \"pavfires\", \"pavfnsvr\", \"pavjobs\", \"pavkre\", \"pavmail\",\n",
    "           \"pavprot\", \"pavproxy\", \"pavprsrv\", \"pavsched\", \"pavsrv50\", \"pavsrv51\", \"pavsrv52\", \"pavupg\", \"pavw\", \"pccNT\",\n",
    "           \"pccclient\", \"pccguide\", \"pcclient\", \"pccnt\", \"pccntmon\", \"pccntupd\", \"pccpfw\", \"pcctlcom\", \"pccwin98\",\n",
    "           \"pcfwallicon\", \"pcip10117_0\", \"pcscan\", \"pctsAuxs\", \"pctsGui\", \"pctsSvc\", \"pctsTray\", \"pdsetup\", \"pep\",\n",
    "           \"periscope\", \"persfw\", \"perswf\", \"pf2\", \"pfwadmin\", \"pgmonitr\", \"pingscan\", \"platin\", \"pmon\", \"pnmsrv\",\n",
    "           \"pntiomon\", \"pop3pack\", \"pop3trap\", \"poproxy\", \"popscan\", \"portdetective\", \"portmonitor\", \"powerscan\",\n",
    "           \"ppinupdt\", \"ppmcativedetection\", \"pptbc\", \"ppvstop\", \"pqibrowser\", \"pqv2isvc\", \"prevsrv\", \"prizesurfer\",\n",
    "           \"prmt\", \"prmvr\", \"programauditor\", \"proport\", \"protectx\", \"psctris\", \"psh_svc\", \"psimreal\", \"psimsvc\",\n",
    "           \"pskmssvc\", \"pspf\", \"purge\", \"pview\", \"pviewer\", \"pxemtftp\", \"pxeservice\", \"qclean\", \"qconsole\", \"qdcsfs\",\n",
    "           \"qoeloader\", \"qserver\", \"rapapp\", \"rapuisvc\", \"ras\", \"rasupd\", \"rav7\", \"rav7win\", \"rav8win32eng\", \"ravmon\",\n",
    "           \"ravmond\", \"ravstub\", \"ravxp\", \"ray\", \"rb32\", \"rcsvcmon\", \"rcsync\", \"realmon\", \"reged\", \"remupd\",\n",
    "           \"reportsvc\", \"rescue\", \"rescue32\", \"rfwmain\", \"rfwproxy\", \"rfwsrv\", \"rfwstub\", \"rnav\", \"rrguard\", \"rshell\",\n",
    "           \"rsnetsvr\", \"rstray\", \"rtvscan\", \"rtvscn95\", \"rulaunch\", \"saHookMain\", \"safeboxtray\", \"safeweb\",\n",
    "           \"sahagentscan32\", \"sav32cli\", \"save\", \"savenow\", \"savroam\", \"savscan\", \"savservice\", \"sbserv\", \"scam32\",\n",
    "           \"scan32\", \"scan95\", \"scanexplicit\", \"scanfrm\", \"scanmailoutlook\", \"scanpm\", \"schdsrvc\", \"schupd\", \"scrscan\",\n",
    "           \"seestat\", \"serv95\", \"setloadorder\", \"setup_flowprotector_us\", \"setupguimngr\", \"setupvameeval\", \"sfc\",\n",
    "           \"sgssfw32\", \"sh\", \"shellspyinstall\", \"shn\", \"showbehind\", \"shstat\", \"siteadv\", \"smOutlookPack\", \"smc\",\n",
    "           \"smoutlookpack\", \"sms\", \"smsesp\", \"smss32\", \"sndmon\", \"sndsrvc\", \"soap\", \"sofi\", \"softManager\", \"spbbcsvc\",\n",
    "           \"spf\", \"sphinx\", \"spideragent\", \"spiderml\", \"spidernt\", \"spiderui\", \"spntsvc\", \"spoler\", \"spoolcv\",\n",
    "           \"spoolsv32\", \"spyxx\", \"srexe\", \"srng\", \"srvload\", \"srvmon\", \"ss3edit\", \"sschk\", \"ssg_4104\", \"ssgrate\", \"st2\",\n",
    "           \"stcloader\", \"stinger\", \"stopp\", \"stwatchdog\", \"supftrl\", \"support\", \"supporter5\", \"svcGenericHost\",\n",
    "           \"svcharge\", \"svchostc\", \"svchosts\", \"svcntaux\", \"svdealer\", \"svframe\", \"svtray\", \"swdsvc\", \"sweep95\",\n",
    "           \"sweepnet.sweepsrv.sys.swnetsup\", \"sweepsrv\", \"swnetsup\", \"swnxt\", \"swserver\", \"symlcsvc\", \"symproxysvc\",\n",
    "           \"symsport\", \"symtray\", \"symwsc\", \"sysdoc32\", \"sysedit\", \"sysupd\", \"taskmo\", \"taumon\", \"tbmon\", \"tbscan\",\n",
    "           \"tc\", \"tca\", \"tclproc\", \"tcm\", \"tdimon\", \"tds-3\", \"tds2-98\", \"tds2-nt\", \"teekids\", \"tfak\", \"tfak5\", \"tgbob\",\n",
    "           \"titanin\", \"titaninxp\", \"tmas\", \"tmlisten\", \"tmntsrv\", \"tmpfw\", \"tmproxy\", \"tnbutil\", \"tpsrv\",\n",
    "           \"tracesweeper\", \"trickler\", \"trjscan\", \"trjsetup\", \"trojantrap3\", \"trupd\", \"tsadbot\", \"tvmd\", \"tvtmd\",\n",
    "           \"udaterui\", \"undoboot\", \"unvet32\", \"updat\", \"updtnv28\", \"upfile\", \"upgrad\", \"uplive\", \"urllstck\", \"usergate\",\n",
    "           \"usrprmpt\", \"utpost\", \"v2iconsole\", \"v3clnsrv\", \"v3exec\", \"v3imscn\", \"vbcmserv\", \"vbcons\", \"vbust\",\n",
    "           \"vbwin9x\", \"vbwinntw\", \"vcsetup\", \"vet32\", \"vet95\", \"vetmsg\", \"vettray\", \"vfsetup\", \"vir-help\",\n",
    "           \"virusmdpersonalfirewall\", \"vnlan300\", \"vnpc3000\", \"vpatch\", \"vpc32\", \"vpc42\", \"vpfw30s\", \"vprosvc\",\n",
    "           \"vptray\", \"vrv\", \"vrvmail\", \"vrvmon\", \"vrvnet\", \"vscan40\", \"vscenu6.02d30\", \"vsched\", \"vsecomr\", \"vshwin32\",\n",
    "           \"vsisetup\", \"vsmain\", \"vsmon\", \"vsserv\", \"vsstat\", \"vstskmgr\", \"vswin9xe\", \"vswinntse\", \"vswinperse\",\n",
    "           \"w32dsm89\", \"w9x\", \"watchdog\", \"webdav\", \"webproxy\", \"webscanx\", \"webtrap\", \"webtrapnt\", \"wfindv32\",\n",
    "           \"wfxctl32\", \"wfxmod32\", \"wfxsnt40\", \"whoswatchingme\", \"wimmun32\", \"win-bugsfix\", \"winactive\", \"winmain\",\n",
    "           \"winnet\", \"winppr32\", \"winrecon\", \"winroute\", \"winservn\", \"winssk32\", \"winstart\", \"winstart001\", \"wintsk32\",\n",
    "           \"winupdate\", \"wkufind\", \"wnad\", \"wnt\", \"wradmin\", \"wrctrl\", \"wsbgate\", \"wssfcmai\", \"wupdater\", \"wupdt\",\n",
    "           \"wyvernworksfirewall\", \"xagt\", \"xagtnotif\", \"xcommsvr\", \"xfilter\", \"xpf202en\", \"zanda\", \"zapro\",\n",
    "           \"zapsetup3001\", \"zatutor\", \"zhudongfangyu\", \"zlclient\", \"zlh\", \"zonalm2601\", \"zonealarm\"]\n",
    "# Names of administration, debugging and monitoring tools; an exact name_text match gets the\n",
    "# \"admin\" tag, unless the name was already matched by av / av1 (that branch is tested first).\n",
    "# NOTE(review): \"portmon\" is listed twice; harmless for membership tests.\n",
    "admin = [\"Code\", \"notepad++\", \"notepad\", \"cmd\", \"drwatson\", \"DRWTSN32\", \"drwtsn32\", \"dumpcap\", \"ethereal\",\n",
    "             \"filemon\", \"idag\", \"idaw\", \"k1205\", \"loader32\", \"netmon\", \"netstat\", \"netxray\", \"NmWebService\",\n",
    "             \"nukenabber\", \"portmon\", \"powershell\", \"PRTG Traffic Gr\", \"PRTG Traffic Grapher\", \"prtgwatchdog\", \"putty\",\n",
    "             \"regmon\", \"SystemEye\", \"taskman\", \"TASKMGR\", \"tcpview\", \"Totalcmd\", \"TrafMonitor\", \"windbg\", \"winobj\",\n",
    "             \"wireshark\", \"WMonAvNScan\", \"WMonAvScan\", \"WMonSrv\", \"regedit\", \"regedit32\", \"accesschk\", \"accesschk64\",\n",
    "             \"AccessEnum\", \"ADExplorer\", \"ADInsight\", \"adrestore\", \"Autologon\", \"Autoruns\", \"Autoruns64\", \"autorunsc\",\n",
    "             \"autorunsc64\", \"Bginfo\", \"Bginfo64\", \"Cacheset\", \"Clockres\", \"Clockres64\", \"Contig\", \"Contig64\",\n",
    "             \"Coreinfo\", \"ctrl2cap\", \"Dbgview\", \"Desktops\", \"disk2vhd\", \"diskext\", \"diskext64\", \"Diskmon\", \"DiskView\",\n",
    "             \"du\", \"du64\", \"efsdump\", \"FindLinks\", \"FindLinks64\", \"handle\", \"handle64\", \"hex2dec\", \"hex2dec64\",\n",
    "             \"junction\", \"junction64\", \"ldmdump\", \"Listdlls\", \"Listdlls64\", \"livekd\", \"livekd64\", \"LoadOrd\",\n",
    "             \"LoadOrd64\", \"LoadOrdC\", \"LoadOrdC64\", \"logonsessions\", \"logonsessions64\", \"movefile\", \"movefile64\",\n",
    "             \"notmyfault\", \"notmyfault64\", \"notmyfaultc\", \"notmyfaultc64\", \"ntfsinfo\", \"ntfsinfo64\", \"pagedfrg\",\n",
    "             \"pendmoves\", \"pendmoves64\", \"pipelist\", \"pipelist64\", \"portmon\", \"procdump\", \"procdump64\", \"procexp\",\n",
    "             \"procexp64\", \"Procmon\", \"PsExec\", \"PsExec64\", \"psfile\", \"psfile64\", \"PsGetsid\", \"PsGetsid64\", \"PsInfo\",\n",
    "             \"PsInfo64\", \"pskill\", \"pskill64\", \"pslist\", \"pslist64\", \"PsLoggedon\", \"PsLoggedon64\", \"psloglist\",\n",
    "             \"pspasswd\", \"pspasswd64\", \"psping\", \"psping64\", \"PsService\", \"PsService64\", \"psshutdown\", \"pssuspend\",\n",
    "             \"pssuspend64\", \"RAMMap\", \"RegDelNull\", \"RegDelNull64\", \"regjump\", \"ru\", \"ru64\", \"sdelete\", \"sdelete64\",\n",
    "             \"ShareEnum\", \"ShellRunas\", \"sigcheck\", \"sigcheck64\", \"streams\", \"streams64\", \"strings\", \"strings64\",\n",
    "             \"sync\", \"sync64\", \"Sysmon\", \"Sysmon64\", \"Tcpvcon\", \"Tcpview\", \"Testlimit\", \"Testlimit64\", \"vmmap\",\n",
    "             \"Volumeid\", \"Volumeid64\", \"whois\", \"whois64\", \"Winobj\", \"ZoomIt\"]\n",
    "# Browser process names; an exact name_text match gets the \"browser\" tag.\n",
    "browsers = [\"chrome\", \"firefox\", \"iexplore\", \"MicrosoftEdgeCP\", \"msedge\"]"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "e04da860-ba1a-4417-a304-7c56825f5f0f",
   "metadata": {},
   "outputs": [],
   "source": [
    "async def get_tag_type(mythic_instance: mythic.mythic_classes.Mythic, tag_type_name: str) -> int:\n",
    "    \"\"\"Return the id of the tag type named ``tag_type_name``, creating the type if it is not cached.\n",
    "\n",
    "    The module-level ``current_tag_types`` list is searched first. On a miss the type is\n",
    "    created through ``mythic.create_tag_type`` with the color and description taken from\n",
    "    ``tagtypeDefinitions``, and the result is appended to the cache under ``tag_type_name``.\n",
    "\n",
    "    Raises:\n",
    "        KeyError: ``tag_type_name`` is not cached and has no entry in ``tagtypeDefinitions``.\n",
    "    \"\"\"\n",
    "    global current_tag_types\n",
    "    for known_type in current_tag_types:\n",
    "        if known_type[\"name\"] != tag_type_name:\n",
    "            continue\n",
    "        return known_type[\"id\"]\n",
    "    # Cache miss: create the tag type and remember it so later calls reuse the same id.\n",
    "    definition = tagtypeDefinitions[tag_type_name]\n",
    "    created = await mythic.create_tag_type(\n",
    "        mythic=mythic_instance,\n",
    "        name=tag_type_name,\n",
    "        color=definition[\"color\"],\n",
    "        description=definition[\"description\"],\n",
    "    )\n",
    "    current_tag_types.append({**created, \"name\": tag_type_name})\n",
    "    return created[\"id\"]"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "7fe34925-7c27-4707-9f23-92d3e2cb987d",
   "metadata": {},
   "outputs": [],
   "source": [
    "async def add_tag_to_process(mythic_instance: mythic.mythic_classes.Mythic, process: dict, tag_type_name: str):\n",
    "    \"\"\"Tag ``process`` with the tag type ``tag_type_name`` unless it already has a tag of that type.\n",
    "\n",
    "    ``process`` is read for ``process[\"tags\"]`` (items with a ``tagtype_id`` key) and for\n",
    "    ``process[\"id\"]``, which is passed to ``mythic.create_tag`` as the only ``mythictree_ids`` entry.\n",
    "    \"\"\"\n",
    "    wanted_type_id = await get_tag_type(mythic_instance=mythic_instance, tag_type_name=tag_type_name)\n",
    "    if any(existing[\"tagtype_id\"] == wanted_type_id for existing in process[\"tags\"]):\n",
    "        # The process already carries a tag of this type; do not create a duplicate.\n",
    "        return\n",
    "    await mythic.create_tag(\n",
    "        mythic=mythic_instance,\n",
    "        tag_type_id=wanted_type_id,\n",
    "        source=\"mythic scripting\",\n",
    "        url=\"https://github.com/ars3n11/Aggressor-Scripts/blob/master/ProcessTree.cna\",\n",
    "        data=\"\",\n",
    "        mythictree_ids=[process[\"id\"]],\n",
    "    )"
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "a668c03b-37d2-4322-86b6-6cbbc021704f",
   "metadata": {},
   "outputs": [],
   "source": [
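    "# Connection settings come from the environment so that credentials are not stored in the\n",
    "# notebook file (or in its history once it is shared or committed). The variable names are\n",
    "# specific to this notebook. Username, host and port fall back to the values the notebook\n",
    "# used before; the password has no default and is prompted for when the variable is unset.\n",
    "mythic_username = os.environ.get(\"MYTHIC_USERNAME\", \"mythic_admin\")\n",
    "mythic_password = os.environ.get(\"MYTHIC_PASSWORD\") or getpass.getpass(\"Mythic password: \")\n",
    "mythic_server_ip = os.environ.get(\"MYTHIC_SERVER_IP\", \"mythic_nginx\")\n",
    "mythic_server_port = int(os.environ.get(\"MYTHIC_SERVER_PORT\", \"7443\"))\n",
    "\n",
    "print(\"[*] Logging into Mythic\")\n",
    "mythic_instance = await mythic.login(\n",
    "    username=mythic_username,\n",
    "    password=mythic_password,\n",
    "    server_ip=mythic_server_ip,\n",
    "    server_port=mythic_server_port,\n",
    "    timeout=-1\n",
    ")\n",
    "print(\"[+] Logged into Mythic\")\n",
    "\n",
    "# Seed the cache that get_tag_type() searches before it creates a new tag type.\n",
    "current_types = await mythic.get_all_tag_types(mythic=mythic_instance)\n",
    "current_tag_types = current_types[\"tagtype\"]\n",
    "\n",
    "callbacks = await mythic.get_all_callbacks(mythic=mythic_instance)\n",
    "# Callback PIDs as strings, because they are compared with full_path_text below.\n",
    "callback_ids = [str(x[\"pid\"]) for x in callbacks]\n",
    "\n",
    "# Sets give constant-time membership tests; the name lists hold well over a thousand entries\n",
    "# and are consulted once per process. Matching stays exact and case-sensitive, as before.\n",
    "edr_names = set(av) | set(av1)\n",
    "admin_names = set(admin)\n",
    "browser_names = set(browsers)\n",
    "callback_pids = set(callback_ids)\n",
    "\n",
    "async for process_batch in mythic.get_all_processes(mythic=mythic_instance, custom_return_attributes=\"\"\"\n",
    "tags {\n",
    "  tagtype_id\n",
    "}\n",
    "full_path_text\n",
    "name_text\n",
    "metadata\n",
    "id\n",
    "\"\"\"):\n",
    "    for process in process_batch:\n",
    "        process_name = process[\"name_text\"]\n",
    "        # The first matching category wins, so a name present in several lists is tagged only once.\n",
    "        if process_name in edr_names:\n",
    "            print(\"got av process\")\n",
    "            await add_tag_to_process(mythic_instance=mythic_instance, process=process, tag_type_name=\"EDR\")\n",
    "        elif process_name in admin_names:\n",
    "            print(\"got admin process\")\n",
    "            await add_tag_to_process(mythic_instance=mythic_instance, process=process, tag_type_name=\"admin\")\n",
    "        elif process_name in (\"explorer\", \"winlogon\"):\n",
    "            await add_tag_to_process(mythic_instance=mythic_instance, process=process, tag_type_name=\"explorer\")\n",
    "            print(\"got explorer\")\n",
    "        elif process_name in browser_names:\n",
    "            await add_tag_to_process(mythic_instance=mythic_instance, process=process, tag_type_name=\"browser\")\n",
    "            print(\"got browsers\")\n",
    "        # NOTE(review): presumably full_path_text holds the PID for process entries - confirm.\n",
    "        # A PID is only unique per host and no host is compared here, so a process on one host\n",
    "        # can be tagged \"agent\" because a callback on another host has the same PID.\n",
    "        elif process[\"full_path_text\"] in callback_pids:\n",
    "            await add_tag_to_process(mythic_instance=mythic_instance, process=process, tag_type_name=\"agent\")\n",
    "            print(\"found callback\")\n",
    "print(\"[*] Done processing data\")"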
   ]
  },
  {
   "cell_type": "code",
   "execution_count": null,
   "id": "7669eba4-9207-42ba-b78c-71bd34809f99",
   "metadata": {},
   "outputs": [],
   "source": []
  }
 ],
 "metadata": {
  "kernelspec": {
   "display_name": "Python 3 (ipykernel)",
   "language": "python",
   "name": "python3"
  },
  "language_info": {
   "codemirror_mode": {
    "name": "ipython",
    "version": 3
   },
   "file_extension": ".py",
   "mimetype": "text/x-python",
   "name": "python",
   "nbconvert_exporter": "python",
   "pygments_lexer": "ipython3",
   "version": "3.10.11"
  }
 },
 "nbformat": 4,
 "nbformat_minor": 5
}
